Menu
▾
▴
Re: [Owasp-input-api-developers] spell checked version.
|
From: Gabriel L. <ga...@bu...> - 2002-06-18 22:45:26
|
Thanx for putting this out so quick. Sounds to me like there is still some disagreement on what and where this project should go. I'd like to try and facilitate a discussion on this. So, up to now I've been more of a facilitator then a participant... Let me participate a little. First, I kind of feel like we've been setting our sites a little low - and have been oversimplifying what we need to do. What I think we should be trying to do is to build a multi-layered multi-language set of tools to make developing secure web applications simple and easy. What I think this goal implies is that we need to look at tools to help in most of the situations web applications developers find themselves in trouble. From the simple side of things which is data validation/cleaning to the more complex side which includes things like helping detect parameter tampering and such (basically where critical information is foolishly encoded into hidden values in forms) and such. So, I see the first step of this process being developing some simple api's that allow developers to start incorporating this stuff into their applications. I think at this level it would be key to make this stuff as generic as possible as the code will need to be ported to multiple environments: Python, Java, PHP, Perl, C/C++, ColdFusion and so on... Then once this basic layer is built, we need to start looking at how to incorporate this stuff into the general flow of things to make it somewhat easy and automatic for developers to incorporate it. And finally, we need to incorporate technology specific solutions into the api so that we can become a layer of protection wrapped around the technology supporting it where those technologies are weak or create holes. So, I actually think that alex's document describes the foundation of what my vision is for at least the first phase of what I think we should do... -gabe |
